echo6-docs/runbooks/utility-caddy-initial-setup.md

# Utility Caddy LXC — Initial Setup

One-time setup. Only needed if rebuilding from scratch.

## Overview

| Item | Value |
|------|-------|
| CT ID | 101 |
| Hostname | caddy |
| Local IP | 192.168.1.101 |
| Tailscale IP | 100.64.0.2 |
| Public access | 199.6.36.163 (router forwards 80/443) |

## 1. Create LXC

```bash
ssh root@192.168.1.241

pct create 101 local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst \
  --hostname caddy \
  --cores 1 \
  --memory 512 \
  --swap 256 \
  --rootfs local-lvm:8 \
  --net0 name=eth0,bridge=vmbr0,ip=192.168.1.101/24,gw=192.168.1.1 \
  --features nesting=1 \
  --unprivileged 1 \
  --password <from .ref/credentials>

# TUN device for Tailscale
cat >> /etc/pve/lxc/101.conf << EOF
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF

pct start 101
```

## 2. Install Tailscale

```bash
pct exec 101 -- bash -c "
echo nameserver 1.1.1.1 > /etc/resolv.conf
apt-get update && apt-get install -y curl
curl -fsSL https://tailscale.com/install.sh | sh
"
```

## 3. Register with Headscale

```bash
pct exec 101 -- tailscale up --login-server https://vpn.echo6.co --hostname caddy

# On Contabo — register the node
ssh root@100.64.0.6 'docker exec headscale-standby headscale nodes register --key <KEY> --user echo6'

# Verify
pct exec 101 -- tailscale status
```

## 4. Install Caddy

```bash
pct exec 101 -- bash -c "
apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt | tee /etc/apt/sources.list.d/caddy-stable.list
apt-get update && apt-get install -y caddy
"
```

## 5. Install acme.sh

```bash
pct exec 101 -- bash -c "
curl https://get.acme.sh | sh -s email=admin@echo6.co
"
```

## 6. Create initial Caddyfile

```bash
pct exec 101 -- bash -c "cat > /etc/caddy/Caddyfile << 'EOF'
{
    email admin@echo6.co
}
EOF
systemctl enable caddy
systemctl start caddy"
```

## 7. Router port forward

Forward on your router:
- TCP 80 → 192.168.1.101:80
- TCP 443 → 192.168.1.101:443

## Done

Add services using the expose-service-home.md runbook.
Initial commit: infrastructure documentation Includes: - Hardware environment reference (Proxmox cluster, VMs, LXCs) - Services inventory with current deployments - Caddy & DNS configuration reference - Runbooks for common deployment procedures Recent additions: - SearXNG deployment (utility CT 102, search.echo6.co) - TOC conversion to Proxmox with cortex VM - Syncthing sync between Contabo and cortex Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-06 21:27:29 +01:00			`# Utility Caddy LXC — Initial Setup`

			`One-time setup. Only needed if rebuilding from scratch.`

			`## Overview`

			`\| Item \| Value \|`
			`\|------\|-------\|`
			`\| CT ID \| 101 \|`
			`\| Hostname \| caddy \|`
			`\| Local IP \| 192.168.1.101 \|`
			`\| Tailscale IP \| 100.64.0.2 \|`
			`\| Public access \| 199.6.36.163 (router forwards 80/443) \|`

			`## 1. Create LXC`

			```bash
			`ssh root@192.168.1.241`

			`pct create 101 local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst \`
			`--hostname caddy \`
			`--cores 1 \`
			`--memory 512 \`
			`--swap 256 \`
			`--rootfs local-lvm:8 \`
			`--net0 name=eth0,bridge=vmbr0,ip=192.168.1.101/24,gw=192.168.1.1 \`
			`--features nesting=1 \`
			`--unprivileged 1 \`
			`--password <from .ref/credentials>`

			`# TUN device for Tailscale`
			`cat >> /etc/pve/lxc/101.conf << EOF`
			`lxc.cgroup2.devices.allow: c 10:200 rwm`
			`lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file`
			`EOF`

			`pct start 101`
			```

			`## 2. Install Tailscale`

			```bash
			`pct exec 101 -- bash -c "`
			`echo nameserver 1.1.1.1 > /etc/resolv.conf`
			`apt-get update && apt-get install -y curl`
			`curl -fsSL https://tailscale.com/install.sh \| sh`
			`"`
			```

			`## 3. Register with Headscale`

			```bash
			`pct exec 101 -- tailscale up --login-server https://vpn.echo6.co --hostname caddy`

			`# On Contabo — register the node`
			`ssh root@100.64.0.6 'docker exec headscale-standby headscale nodes register --key <KEY> --user echo6'`

			`# Verify`
			`pct exec 101 -- tailscale status`
			```

			`## 4. Install Caddy`

			```bash
			`pct exec 101 -- bash -c "`
			`apt-get install -y debian-keyring debian-archive-keyring apt-transport-https`
			`curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key \| gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg`
			`curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt \| tee /etc/apt/sources.list.d/caddy-stable.list`
			`apt-get update && apt-get install -y caddy`
			`"`
			```

			`## 5. Install acme.sh`

			```bash
			`pct exec 101 -- bash -c "`
			`curl https://get.acme.sh \| sh -s email=admin@echo6.co`
			`"`
			```

			`## 6. Create initial Caddyfile`

			```bash
			`pct exec 101 -- bash -c "cat > /etc/caddy/Caddyfile << 'EOF'`
			`{`
			`email admin@echo6.co`
			`}`
			`EOF`
			`systemctl enable caddy`
			`systemctl start caddy"`
			```

			`## 7. Router port forward`

			`Forward on your router:`
			`- TCP 80 → 192.168.1.101:80`
			`- TCP 443 → 192.168.1.101:443`

			`## Done`

			`Add services using the expose-service-home.md runbook.`